Vulnerabilities and security research for backwpup
Jun 07, 2024
BackWPup – WordPress Backup Plugin # CVE-2017-2551
- CVE, Research URL
- Application
- Date: Sep 28, 2017
- Research Description: Vulnerability in WordPress plugin BackWPup before v3.4.2 allows possible brute forcing of backup file for download.
- Affected versions: Min -, max -.
- Status: vulnerable
BackWPup – WordPress Backup Plugin # CVE-2011-5208
- CVE, Research URL
- Application
- Date: Oct 09, 2012
- Research Description: Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php.
- Affected versions: Min -, max -.
- Status: vulnerable
BackWPup – WordPress Backup Plugin # CVE-2013-4626
- CVE, Research URL
- Application
- Date: Sep 26, 2013
- Research Description: Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.
- Affected versions: Min -, max -.
- Status: vulnerable
BackWPup – WordPress Backup Plugin # CVE-2011-4342
- CVE, Research URL
- Application
- Date: Oct 09, 2012
- Research Description: PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.
- Affected versions: Min -, max -.
- Status: vulnerable
BackWPup – WordPress Backup Plugin # CVE-2023-5504
- CVE, Research URL
- Application
- Date: Jan 11, 2024
- Research Description: The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site.
- Affected versions: Min -, max -.
- Status: vulnerable
BackWPup – WordPress Backup Plugin # CVE-2023-5775
- CVE, Research URL
- Application
- Date: Feb 26, 2024
- Research Description: The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated attackers, with administrator-level access, to retrieve the password from the password input field in the UI or from the options table where the password is stored.
- Affected versions: Min -, max -.
- Status: vulnerable
BackWPup – WordPress Backup Plugin # CVE-2023-7164
- CVE, Research URL
- Application
- Date: Apr 08, 2024
- Research Description: The BackWPup WordPress plugin before 4.0.4 does not prevent Directory Listing in its temporary backup folder, allowing unauthenticated attackers to download backups of a site's database.
- Affected versions: Min -, max -.
- Status: vulnerable
Aug 18, 2024
BackWPup – WordPress Backup Plugin # CVE-2023-5505
- CVE, Research URL
- Application
- Date: Aug 17, 2024
- Research Description: The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site.
- Affected versions: Min -, max -.
- Status: vulnerable
May 27, 2025
BackWPup – WordPress Backup Plugin # PSC-2025-64571
- PSC, Research URL
- Application
- Date: May 27, 2025
- Research Description: BackWPup is one of the most trusted and feature-rich backup and restore plugins for WordPress, offering both flexibility and robust protection for your website’s data. Developed by WP Media—the team behind WP Rocket—BackWPup allows you to create complete backups of your WordPress installation and store them safely on external services such as Dropbox, Amazon S3, Google Drive, OneDrive, and more. But beyond its impressive features, what sets BackWPup v5.2.3 apart is its strong commitment to security. The plugin has undergone a thorough security review, code analysis, and penetration testing process, earning it the official Plugin Security Certification (PSC) with the identifier PSC-2025-64571, issued by CleanTalk.
- Affected versions: Min -, max -.
- Status: SAFE & CERTIFIED